Evaluation Report

OIG-CA-09-012
INFORMATION TECHNOLOGY: FMS’s Database Management Systems Have Weaknesses in Key Controls

September 29, 2009

Office of Inspector General
Department of the Treasury

Evaluation Report
    Results in Brief
    Background
    Findings and Recommendations
        Database Patches Were Not Applied in a Timely Manner
        Recommendation
        Database Users Were Granted Excessive Privileges
        Recommendation
        Account and Password Management Was Not Effective
        Recommendations
        Security Controls Over a Legacy System Were Inadequate
        Recommendations

Appendices
    Appendix 1: Objectives, Scope, and Methodology
    Appendix 2: Management Comments
    Appendix 3: Major Contributors
    Appendix 4: Report Distribution

FMS’s Database Management Systems Have Weaknesses in Key Controls (OIG-CA-09-012)   Page 1

Abbreviations

  FMS    Financial Management Service
  IT     Information Technology
  NIST   National Institute of Standards and Technology
  OIG    Office of Inspector General

OIG
The Department of the Treasury
Office of Inspector General

Evaluation Report

September 29, 2009

David A. Lebryk
Commissioner
Financial Management Service

The purpose of this evaluation was to assess the security of Financial Management Service’s (FMS) database management systems. Our overall objective was to determine if FMS had security controls over its database servers, which contain sensitive and vital information, that adequately protect that information against unauthorized access, manipulation, or theft.

To accomplish our objective, we planned to perform a vulnerability assessment and penetration test of FMS’s database management systems.
Specifically, we planned (1) a discovery scan of FMS’s primary network to identify databases installed on the FMS network and to reconcile the results of the scan with FMS’s database list, (2) an unauthenticated vulnerability scan of selected databases, (3) an authenticated vulnerability scan of selected databases, and (4) an exploitation of database vulnerabilities. Because of the way in which FMS configures its network, we were not able to execute our plan for discovery scanning and reconciliation with FMS’s database list. Instead, we relied on a list of databases provided by FMS and compared it with Treasury’s system inventory. We selected databases for unauthenticated and authenticated scanning using a risk-based approach, which resulted in a crosscut sample of FMS databases. Furthermore, we performed automated scanning and manual testing of preproduction databases and then manually compared the production and preproduction environments.
Since we did not identify any vulnerability that could be exploited, we did not perform any penetration testing of FMS’s database management systems.

We performed our fieldwork at FMS’s facilities in Hyattsville, Maryland, from December 2008 through February 2009, in accordance with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Inspections.¹ Appendix 1 contains a detailed description of our objective, scope, and methodology.

¹ Pursuant to the Inspector General Reform Act of 2008, the President's Council on Integrity and Efficiency and the Executive Council on Integrity and Efficiency were combined to create the Council of Inspectors General on Integrity and Efficiency.

Results in Brief

We determined that FMS’s database management systems had weaknesses in key security controls and identified areas where FMS should take steps to improve the security controls over its database management systems. Our overall findings were as follows:

1. Database patches were not applied in a timely manner.
2. Database users were granted excessive privileges.
3. Account and password management was not effective.
4. Security controls over a legacy system were inadequate.

To address these weaknesses, we made nine recommendations to the Commissioner of FMS. In a written response, FMS stated they had taken corrective actions for each of the findings, including patching or scheduling patches for all production databases, modifying privilege settings, correcting account passwords, and implementing the recommended controls for the legacy system.

Background

FMS provides centralized payment, collection, and reporting services for the federal government. It is staffed by approximately 2,100 career civil servants and disburses more than $1.6 trillion to more than 100 million individuals via social security and veterans’ benefits, income tax refunds, and other federal payments. In addition, it collects more than $3.11 trillion per year in payments on behalf of the federal government. FMS also provides cash management guidance to federal program agencies and collects delinquent debts owed to the federal government.

To protect the confidentiality, integrity, and availability of sensitive financial data, proper security controls must be in place on FMS’s database systems. These controls are necessary to prevent unauthorized access, use, disclosure, disruption, modification, or destruction of data.
Missing, insufficient, improper, misconfigured, or poorly designed controls can be exploited by attackers to gain unauthorized access to databases and the information they contain.

Database management systems, which control database operations and security, are complex software programs that require continuous maintenance and patching to ensure protection from vulnerabilities that can allow established security controls to be bypassed. Additionally, because database management systems often have control over the operating system they run on, the host and network security can be compromised when vulnerabilities are present in the database’s front-end interface or in the database management system itself.

Findings and Recommendations

Finding 1   Database Patches Were Not Applied in a Timely Manner

We determined that FMS did not apply patches to its database management systems in a timely manner.
Specifically, we found that 1 Oracle system had not been patched since January 2006, 6 DB2 installations had not been patched since November 2006, 1 DB2 installation had not been patched since April 2005, and 1 Sybase installation had not been patched since January 2007. While FMS uses a preproduction environment for testing patch changes, we found that the preproduction databases also significantly lagged behind the latest released patches.

Treasury Department Publication (TD P) 85-01, Treasury IT Security Program, contains department-wide IT security requirements and supporting guidance and requires bureaus to ensure that security patches are tested and installed on a timeline in accordance with the criticality of the patches.

The vulnerabilities resulting from the missing patches identified could be exploited by a determined attacker to disrupt service on FMS's mission-critical database systems. Without these patches, the risk of disruption is increased so that attackers could launch denial of service attacks on FMS database systems or compromise system confidentiality or integrity, thus disrupting access to mission-critical resources.

Recommendation

1. We recommend that the Commissioner of FMS, in accordance with TD P 85-01, ensure that patches are tested and installed in a timely manner, commensurate with the criticality of the patches to FMS’s database management systems.

Finding 2   Database Users Were Granted Excessive Privileges

We identified several instances where users were assigned excessive privileges within FMS’s database management systems. The privileges granted could allow users to (1) create database procedures that allow execution of malicious code; (2) have administrative authority for the database; and (3) read from and write to operating system files.

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 2 (Rev. 2), Recommended Security Controls for Federal Information Systems, states the following: "[T]he information system enforces the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks. The organization employs the concept of least privilege for specific duties and information systems (including specific ports, protocols, and services) in accordance with risk assessments as necessary to adequately mitigate risk to organizational operations, organizational assets, and individuals."

Granting excessive privileges to users can allow users or potential attackers to bypass access controls and compromise data confidentiality, integrity, and availability.

Recommendation

2. We recommend that the Commissioner of FMS ensure that unnecessary database privileges are removed and that going forward the principle of least privilege is enforced.

Finding 3   Account and Password Management Was Not Effective

We discovered that FMS did not implement proper account management, which could lead to the compromise of system security. Specifically, we found six accounts on the mainframe with passwords that were the same as the user names associated with the respective accounts. While five of the accounts were established for batch processing and did not have rights to log onto the system, one of the accounts did have full interactive logon privileges. The FMS database and mainframe administrators responsible for the system were not aware of these issues and stated they would take immediate actions to address them. However, our discovery of these vulnerabilities indicates that steps to detect such issues, including frequent reviews of system accounts, are not regularly performed. Additionally, we found that an Oracle system allowed remote access connections using a method that did not lock out accounts after a number of invalid password attempts.

NIST SP 800-53 Rev. 2 states: "The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization reviews information system accounts [at an agency defined period, at least annually]."
In addition, TD P 85-01 defines the control period for account reviews as at least annually for user accounts and requires that accounts be locked after three invalid attempts in 120 minutes.

When accounts and passwords are not administered effectively, the risk of unauthorized users or attackers gaining access to the system with easily guessed passwords is increased. Furthermore, once that access is gained, attackers could create additional accounts to provide themselves a foothold to further access the system by bypassing other security controls. In addition, when accounts on a remote connection are not locked after a set number of invalid password attempts, attackers can continue guessing passwords without being deterred.

Recommendations

We recommend that the Commissioner of FMS:

3. Ensure that periodic reviews of system accounts are performed to disable or remove unnecessary accounts, as required by TD P 85-01.
4. Ensure that service and application accounts do not have the rights to log on to a system interactively.
5. Ensure that all accounts have strong passwords.
6. Enforce account lockout controls as required by TD P 85-01.

Finding 4   Security Controls Over a Legacy System Were Inadequate

We performed manual testing on one of FMS's legacy production database systems to assess its associated security controls. While this database is no longer used to store business information on new contracts, it is maintained for access and updates to legacy contracts.
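The lockout rule quoted in Finding 3 (accounts locked after three invalid attempts in 120 minutes) can be checked against authentication logs. The following is an added example, not part of the report or of any FMS system; the log line format, event names, user names and timestamps are constructed for it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are the TD P 85-01 values quoted in the report.
LOCKOUT_ATTEMPTS = 3
LOCKOUT_WINDOW = timedelta(minutes=120)

# Constructed log line shape: "<date> <time> <EVENT> user=<name> ..."; the
# format is an assumption made for this example, not FMS's or Oracle's.
LOG_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (LOGIN_OK|LOGIN_FAILED|UNLOCK) user=(\S+)")


def parse_auth_log(lines):
    """Turn raw lines into (timestamp, event, user) tuples, oldest first."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:  # lines that do not match the shape are ignored
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events)


def lockout_violations(events, attempts=LOCKOUT_ATTEMPTS, window=LOCKOUT_WINDOW):
    """Return (user, timestamp) for each successful login accepted after the
    account had reached `attempts` failures inside `window` with no
    administrative UNLOCK in between. Such a login shows the lockout control
    is not enforced on that access path, which is what Finding 3 describes."""
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    should_be_locked = set()
    violations = []
    for ts, event, user in events:
        if event == "UNLOCK":
            should_be_locked.discard(user)
            failures[user].clear()
        elif event == "LOGIN_FAILED":
            q = failures[user]
            q.append(ts)
            while ts - q[0] > window:  # discard failures outside the window
                q.popleft()
            if len(q) >= attempts:
                should_be_locked.add(user)
        elif event == "LOGIN_OK":
            if user in should_be_locked:
                violations.append((user, ts))
            failures[user].clear()
    return violations


# Constructed sample: "appbatch" reaches three failures within 120 minutes and
# is then logged into with no unlock (lockout not enforced); "jdoe" reaches
# the threshold but only logs in after an administrator unlocks the account;
# "ops1" has two failures more than 120 minutes apart, so no lockout is due.
SAMPLE_LOG = """
2009-01-15 08:00:00 LOGIN_FAILED user=appbatch src=10.0.0.5
2009-01-15 08:30:00 LOGIN_FAILED user=appbatch src=10.0.0.5
2009-01-15 09:10:00 LOGIN_FAILED user=jdoe src=10.0.0.9
2009-01-15 09:11:00 LOGIN_FAILED user=jdoe src=10.0.0.9
2009-01-15 09:12:00 LOGIN_FAILED user=jdoe src=10.0.0.9
2009-01-15 09:20:00 LOGIN_FAILED user=appbatch src=10.0.0.5
2009-01-15 09:25:00 LOGIN_OK user=appbatch src=10.0.0.5
2009-01-15 10:00:00 LOGIN_FAILED user=ops1 src=10.0.0.7
2009-01-15 10:30:00 UNLOCK user=jdoe by=dbadmin
2009-01-15 10:31:00 LOGIN_OK user=jdoe src=10.0.0.9
2009-01-15 12:30:00 LOGIN_FAILED user=ops1 src=10.0.0.7
2009-01-15 12:31:00 LOGIN_OK user=ops1 src=10.0.0.7
"""

if __name__ == "__main__":
    for user, ts in lockout_violations(parse_auth_log(SAMPLE_LOG.splitlines())):
        print(f"{user}: login accepted at {ts} while lockout should have applied")
```

Only "appbatch" is reported: "jdoe" was unlocked by an administrator first, and "ops1" never accumulated three failures inside one 120-minute window.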
We found multiple areas where the system did not have adequate security controls, including accounts for users who no longer needed access, database administrator accounts for terminated personnel, end user accounts with assigned administrative privileges, and accounts with no password expiration. Based on our review of the system logs, the system is not frequently used. However, since it is connected to FMS's network, it requires proper security controls.

NIST Federal Information Processing Standard 200, “Minimum Security Requirements for Federal Information and Information Systems,” states that federal agencies must meet the minimum security requirements it defines through the use of security controls in accordance with NIST SP 800-53 Rev. 2, which states the following: "[T]he organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization reviews information system accounts at an agency defined period, at least annually." TD P 85-01 defines the period for account reviews as “at least annually” for user accounts within Treasury.

Failure to properly maintain systems that are connected to a network, including infrequently used legacy systems, can provide an unmonitored avenue of attack to an otherwise secure network. Because of the missing security controls and unsupported status of the legacy system, the data it contains could be compromised.

Recommendations

We recommend that the Commissioner of FMS:

7. Review inactive or idle accounts on the legacy systems and remove unnecessary accounts when access is no longer needed.
8. Enforce account password compliance on legacy systems, as required by TD P 85-01.
9. Review and remove excessive privileges on the legacy system.

Management Response

As noted in appendix 2, FMS management stated that they have already implemented corrective actions for the identified weaknesses and will ensure compliance with Treasury and FMS policies.

OIG Comment

We agree that the steps FMS stated they have taken are responsive to the intent of our findings and recommendations.

******

I would like to extend my appreciation to the Commissioner of FMS and to FMS staff for the cooperation and courtesies extended to my staff during the evaluation. If you have any questions, please contact me at (202) 927-5171 or Gerald Steere, IT Specialist, at (202) 927-6351. Major contributors to this report are listed in appendix 3.

/s/

Tram Jacquelyn Dang
Audit Director

Appendix 1
Objective, Scope, and Methodology

The purpose of this evaluation was to assess the security of database management systems at the Department of the Treasury’s Financial Management Service (FMS). Our overall objective was to determine if FMS had security controls over its database servers, which contain sensitive and vital information, that adequately protect that information against unauthorized access, manipulation, or theft.

To accomplish the objective, we planned to perform a vulnerability assessment and penetration testing of FMS’s database management systems.
Specifically, we planned (1) a discovery scan of FMS’s primary network to identify databases installed on the FMS network and to reconcile the results of the scan with FMS’s database list, (2) an unauthenticated vulnerability scan of selected databases, (3) an authenticated vulnerability scan of selected databases, and (4) an exploitation of database vulnerabilities. Because of the way in which FMS configures its network, we were not able to execute our plan for discovery scanning and reconciliation with FMS’s database list. Instead, we relied on a list of databases provided by FMS and compared it with Treasury’s system inventory. We selected databases for unauthenticated and authenticated scanning using a risk-based approach, which resulted in a crosscut sample of FMS databases. We chose our sample based on the following factors (in descending order of importance):

1. availability of a preproduction database to scan
2. database criticality or NIST Federal Information Processing Standard 199 rating, which reflects the impact level of the system on the Agency mission; systems with a high impact level were a priority
3. vendor of the database management system in use, to provide coverage of each system type used by FMS
4. purpose of the system, as described in FMS's inventory

Furthermore, because of the potential disruption to its daily business functions, FMS management asked us not to scan production databases. We agreed, and as an alternative we performed automated scanning and manual testing of preproduction databases and then manually compared the production and preproduction environments. Since we did not identify any vulnerability that could be exploited, we did not perform any penetration testing of FMS’s database management systems.

We performed our fieldwork at FMS’s facilities in Hyattsville, Maryland, from December 2008 through February 2009. We conducted our evaluation in accordance with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Inspections.

Appendix 2
Management Response

Appendix 3
Major Contributors

Office of IT Audits

Tram J. Dang, Director
Susan I. Miller, IT Audit Manager
Gerald J. Steere, IT Specialist (Lead)
Abdirahman M. Salah, IT Specialist
Jane E. Lee, IT Specialist
Larissa Klimpel, IT Specialist
Shiela Michel, Referencer

Appendix 4
Report Distribution

Financial Management Service

   Chief Information Officer

Department of the Treasury

   Office of Accounting and Internal Control
   Office of Strategic Planning and Performance Management
   Office of the Chief Information Officer

Office of Management and Budget

   Office of Inspector General Budget Examiner